On Tue, Mar 02, 2010 at 08:25:06PM -0800, Benjamin Krueger spake thusly:

> This is only one professional's opinion, but I would never buy the
> argument that anti-virus and rootkit checks are only for Windows and
> that Unix is somehow immune such that it doesn't require them. My
> QSA certainly wouldn't buy that either. You can make the "commonly
Dragging this up again from back in March. I found the following shortly after our conversation. Since I just referred someone else to it I'll relight this fire and send it to you all as well:

Refer to "Navigating PCI DSS" from the PCI Security Standards Council, which provides guidance on the interpretation of the requirements: https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf

Requirement 5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Guidance: While systems that are commonly affected by malicious software typically do not include mainframes and most Unix systems (see more detail below), each entity must have a process according to PCI DSS Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly. Trends in malicious software related to operating systems an entity uses should be included in the identification of new security vulnerabilities, and methods to address new trends should be incorporated into the company's configuration standards and protection mechanisms as needed.

Typically, the following operating systems are not commonly affected by malicious software: mainframes, and certain Unix servers (such as AIX, Solaris, and HP-Unix). However, industry trends for malicious software can change quickly and each organization must comply with Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly.

They do not mention Windows specifically because of the political implications of calling them out as abnormally prone to viruses, and they do not mention Linux specifically because there are so many different ones. But AIX, Solaris, and "HP-Unix" are specifically named. This makes it pretty clear that you don't have to have antivirus on your in-scope Solaris systems.
This is a small requirement of the standard but a major operational pain in the butt. Daily updates (at least) are the standard for antivirus definitions these days. Can you imagine somehow ferrying virus definition files into your private network, which has no direct Internet access, because PCI says your AIX machine needs antivirus? Who is going to sell you antivirus for AIX anyway?

--
Tracy Reed
http://tracyreed.org
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
